ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
https://horusec.io/
Apache License 2.0

Running the Horusec tool using Docker (Using version: 27.2.1) #1178

Open Shashi2504 opened 2 months ago

Shashi2504 commented 2 months ago

What happened:

- I did all the pre-installations before running the Horusec tool, like installing Docker, then installing Horusec, and started running the Horusec tool using Docker in the application folder.
- But I was getting the following error: "level=error msg="{HORUSEC_CLI} Your docker version is below of: " error=19.3", even though my current version is above the required version which was mentioned in the error message.
- This was my current Docker version while using the tool: "Docker version 27.2.1, build 9e34c9b".

What you expected to happen: To start the Horusec tool and show the vulnerabilities in the application folder.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?: N/A

Environment:
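The check described in the post reports Docker 27.2.1 as below 19.3. As an added example (not Horusec's own code), this is how a Docker version gate can compare the numeric segments of the `docker --version` line instead of treating the version as text; it assumes the output format quoted in the post and takes the 19.3 minimum from the value printed in the error:

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
	"strings"
)

// versionRe pulls the dotted numeric version out of `docker --version`
// output such as "Docker version 27.2.1, build 9e34c9b" (quoted in the issue).
var versionRe = regexp.MustCompile(`\d+(?:\.\d+)*`)

// ParseVersion maps "27.2.1" (or a full `docker --version` line) to its
// numeric segments, e.g. []int{27, 2, 1}; it returns nil if none is found.
func ParseVersion(raw string) []int {
	m := versionRe.FindString(raw)
	if m == "" {
		return nil
	}
	var parts []int
	for _, s := range strings.Split(m, ".") {
		n, _ := strconv.Atoi(s) // only digit runs reach here (see versionRe)
		parts = append(parts, n)
	}
	return parts
}

// MeetsMinimum reports whether the Docker version in versionOutput is at
// least minimum, comparing segments as integers rather than as text, so
// 27.2.1 is above 19.3 and 9.0 is below it. A missing trailing segment
// counts as 0, so "19.3" equals "19.3.0".
func MeetsMinimum(versionOutput, minimum string) (bool, error) {
	have, want := ParseVersion(versionOutput), ParseVersion(minimum)
	if have == nil || want == nil {
		return false, errors.New("could not parse a numeric docker version")
	}
	for i := 0; i < len(have) || i < len(want); i++ {
		var x, y int
		if i < len(have) {
			x = have[i]
		}
		if i < len(want) {
			y = want[i]
		}
		if x != y {
			return x > y, nil
		}
	}
	return true, nil
}
```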

0xtiago commented 2 months ago

Hi, I don't know if it helps you, but currently I am using a beta version as a workaround:

# Pull the beta CLI image, then run it with the host Docker socket mounted so the
# CLI can launch its analysis containers. -p is the project path inside this
# container; -P (--container-bind-project-path) is the same path on the host.
image="horuszup/horusec-cli:v2.9.0-beta.3"; \
docker pull "$image"; \
docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$(pwd)":/src/horusec "$image" horusec start \
    -p /src/horusec -P "$(pwd)"

Victor725 commented 2 months ago

I encountered the same problem, and I tried to use the beta version, but I still got the same error:

time="2024-09-23T09:06:23Z" level=warning msg="{HORUSEC_CLI} Config file not found"
Error: docker not found. Please check and try again
time="2024-09-23T09:06:24Z" level=error msg="{HORUSEC_CLI} Your docker version is below of: " error=19.3
Usage:
  horusec start [flags]

Examples:
horusec start

Flags:
  -t, --analysis-timeout int                 The timeout threshold for the Horusec CLI wait for the analysis to complete. The minimum time is 10 (default 600)
  -a, --authorization string                 Authorization token to use on Horusec server. Read more: https://docs.horusec.io/docs/tutorials/how-to-create-an-authorization-token (default "00000000-0000-0000-0000-000000000000")
  -C, --certificate-path string              Path to certificate of authority. Example -C="example/ca.crt"
  -P, --container-bind-project-path string   Project path in host to be used on Docker when running Horusec inside a container
  -c, --custom-rules-path string             Path with custom rules that should be used by Horusec engine
  -D, --disable-docker                       Run Horusec without docker. If enabled it will only run the following tools: horusec-csharp, horusec-kotlin, horusec-java, horusec-kubernetes, horusec-leaks, horusec-javascript, horusec-dart, horusec-nginx
  -G, --enable-commit-author                 Enable to search commit author of vulnerabilities
      --enable-git-history                   Run Gitleaks and search for vulnerabilities in all git history of the project https://github.com/zricethezav/gitleaks
  -w, --enable-owasp-dependency-check        Run Owasp Dependency Check tool https://github.com/jeremylong/DependencyCheck
  -j, --enable-shellcheck                    Run ShellCheck tool https://github.com/koalaman/shellcheck
  -F, --false-positive strings               Ignore a vulnerability by hash and set it to be false positive. Example -F="hash1, hash2"
      --headers stringToString               Custom headers to send on request to Horusec API. Example --headers='{"X-Auth-Service": "value"}' (default [])
  -h, --help                                 help for start
  -u, --horusec-url string                   The Horusec server address to send analysis results (default "http://0.0.0.0:8000")
  -i, --ignore strings                       Paths to ignore in the analysis. Example: -i="/path/to/ignore, **/*_test.go, **/assets/**" (default [*tmp*,**/.vscode/**])
  -s, --ignore-severity strings              The level of vulnerabilities to ignore in the output ("LOW"|"MEDIUM"|"HIGH"). Example: -s="LOW, HIGH" (default [INFO])
  -I, --information-severity                 Enable information severity vulnerabilities. Information vulnerabilities can contain a lot of false positives
  -S, --insecure-skip-verify                 Disable the certification validation. PLEASE, try not to use it
  -O, --json-output-file string              Output file to write analysis result. This flag should be used with --output-format
  -o, --output-format string                 Output format of analysis ("text"|"json"|"sarif"|"sonarqube"). For json, sarif, and sonarqube --json-output-file is required
  -p, --project-path string                  Path to run an analysis. If this value is not passed, Horusec will ask if you want to run the analysis in the current directory (default "/")
  -n, --repository-name string               Send repository name to Horusec server, by default sends the actual directory name (default "/")
  -r, --request-timeout int                  The timeout threshold for the request to the Horusec server. The minimum time is 10 (default 300)
  -e, --return-error                         Return exit code 1 if found vulnerabilities. Default value is false (exit code 0)
  -R, --risk-accept strings                  Ignore a vulnerability by hash and set it to be risk accept. Example -R="hash1, hash2"
      --show-vulnerabilities-types strings   Show vulnerabilities by types ("Vulnerability"|"Risk Accepted"|"False Positive"|"Corrected"). Example --show-vulnerabilities-types="Vulnerability, Risk Accepted" (default [Vulnerability])

Global Flags:
      --config-file-path string   Path of the configuration file (default "/horusec-config.json")
  -l, --log-file-path string      Path of log file (default "/tmp/horusec-2024-09-23-09-06-23.log")
      --log-level string          Set log level ("panic"|"fatal"|"error"|"warn"|"info"|"debug"|"trace") (default "info")